IBM Tivoli Identity Manager Tivoli Access Manager Agent for Windows Installation Guide Version 4.5.0 SC32-1165-03
Note: Before using this information and the product it supports, read the information in Appendix C, Notices, on page 43.

First Edition (August 2003)

This edition applies to version 4.5.0 of this agent and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2003. All rights reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Preface . . . v
  Who should read this book . . . v
  Publications . . . v
    Tivoli Identity Manager Agent library . . . v
    Related publications . . . v
    Accessing publications online . . . vi
  Accessibility . . . vi
  Contacting software support . . . vi
  Conventions used in this book . . . vi

Chapter 1. Overview . . . 1
  Basic Installation . . . 1
  Chapter Descriptions . . . 1

Chapter 2. Agent Installation . . . 3
  Requirements . . . 3
  Information Worksheet . . . 3
    Step 1: Installing the Agent . . . 4
    Step 2: Activating the Agent as a Service . . . 4
    Step 3: Configuring the Agent . . . 4
    Step 4: Installing the Agent's Certificate . . . 4
    Step 5: Installing the Agent's Profile . . . 4
    Step 6: Configuring the Agent for Event Notification . . . 4
    Step 7: Configuring the Agent's Forms . . . 4
  Step 1: Installing the Agent . . . 4
  Step 2: Activating the Agent as a Service . . . 6
  Step 3: Configuring the Agent . . . 6
  Step 4: Installing the Agent's Certificate . . . 6
  Step 5: Installing the Agent's Profile . . . 6
  Step 6: Configuring the Agent for Event Notification . . . 7
  Step 7: Configuring the Agent's Forms . . . 7

Chapter 3. Agent Profile Installation . . . 9
  Requirements . . . 9
  Installing the Agent Profile . . . 9
  Verifying the Agent Profile is Installed . . . 10

Chapter 4. Agent Parameters Modification . . . 13
  Accessing the Agent Configuration Tool Main Menu . . . 13
  Viewing Configuration Settings . . . 14
  Changing Protocol Configuration Settings . . . 14
    Adding a Protocol . . . 15
    Removing a Protocol . . . 15
    Configuring a Protocol . . . 15
  Setting Event Notification . . . 17
    Setting Attributes to be Reconciled . . . 19
    Modifying an Event Notification Context . . . 20
  Changing the Configuration Key . . . 21
  Changing Activity Logging Settings . . . 22
  Changing Registry Settings . . . 24
    Modifying Non-encrypted Registry Settings . . . 24
    Multi-instance Settings . . . 24
  Changing Advanced Settings . . . 25
  Viewing Statistics . . . 26
  Accessing Help and Additional Options . . . 26

Chapter 5. Certificate Installation . . . 29
  Overview of SSL and Digital Certificates . . . 29
  Basic Configuration for Server-to-Agent SSL . . . 30
  Clustered Tivoli Identity Manager Configuration . . . 30
  Accessing the Certificate Configuration Tool Main Menu . . . 30
  Generating a Private Key and Certificate Request . . . 32
    Example of Certificate Request Script . . . 33
    Example of request.pem File . . . 33
  Installing the Certificate from a File . . . 34
  Installing the Certificate and Key from a PKCS12 File . . . 34
  Viewing Installed Certificates . . . 34
  Viewing CA Certificates . . . 34
  Installing a CA Certificate . . . 35
  Deleting a CA Certificate . . . 35
  Viewing Registered Certificates . . . 35
  Registering a Certificate . . . 35
  Unregistering a Certificate . . . 36

Appendix A. Agent Variables . . . 37
  Variable Descriptions . . . 37
  Variables by Tivoli Access Manager Agent Actions . . . 38
    System Login Add . . . 38
    System Login Change . . . 38
    System Login Delete . . . 39
    System Login Suspend . . . 39
    System Login Restore . . . 39
    Reconciliation . . . 39

Appendix B. Additional Installation Options . . . 41
  Installation Options . . . 41
    Batch File Option . . . 41
    Console Option . . . 41
    Setup Arguments . . . 41
  Agent Removal . . . 41

Appendix C. Notices . . . 43
  Trademarks . . . 44

Index . . . 47
Preface

The IBM Tivoli Identity Manager Tivoli Access Manager v4.1 Agent for Windows (Tivoli Access Manager Agent) enables connectivity between the IBM Tivoli Identity Manager Server and a network of systems running the Tivoli Access Manager database. After the agent is installed and prepared, Tivoli Identity Manager manages access to Windows NT or Windows 2000 non-active directory resources with your site's security system. This manual describes how to install and prepare a Tivoli Access Manager Agent.

Who should read this book

This manual is intended for security administrators responsible for installing software on their site's computer systems. Readers are expected to understand security administration concepts. The person completing the installation procedure should also be familiar with their site's system standards. Readers should be able to perform routine security administration tasks.

Publications

Read the descriptions of the Tivoli Identity Manager library and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Tivoli Identity Manager Agent library

The publications in the Tivoli Identity Manager Agent library are:

- Online user assistance for Tivoli Identity Manager
  Provides integrated online help topics for all Tivoli Identity Manager administrative tasks.
- Tivoli Identity Manager Policy and Organization Administration Guide
  Provides topics for Tivoli Identity Manager administrative tasks.
- Tivoli Identity Manager Server Configuration Guide
  Provides configuration information for single-server and cluster Tivoli Identity Manager configurations.

Related publications

Information related to Tivoli Identity Manager is available in the following publications:

- The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/library/
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
  http://www.ibm.com/software/tivoli/library
Accessing publications online

The IBM publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, at the Tivoli Software Library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the Library page. Then, locate and click the name of the product on the Tivoli Software Information Center page. Product publications include release notes, installation guides, user's guides, administrator's guides, and developer's references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File > Print).

Accessibility

The product documentation includes the following features to aid accessibility:

- Documentation is available in both HTML and convertible PDF formats to give the maximum opportunity for users to apply screen-reader software.
- All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Contacting software support

Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/

If you need additional help, contact software support using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

This guide provides the following information:

- Registration and eligibility requirements for receiving support
- Telephone numbers and e-mail addresses, depending on the country in which you are located
- A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths. The following typeface conventions are used in this book:

Bold
  Bold text indicates selectable window buttons, field entries, and commands appearing in this manual, except from within examples or the contents of files.

Monospace
  Text in monospace type indicates the contents of files or the output from commands.

Italic
  Italic text indicates context-specific values such as:
  - path names
  - file names
  - user names
  - group names
  - system parameters
  - environment variables
Chapter 1. Overview

Basic Installation

This installation guide provides all of the basic information necessary to install and configure the Tivoli Access Manager Agent components. This chapter provides a simple overview of the installation process and a brief overview of the information in each chapter.

The following lists the basic procedures necessary to install, configure, and run the agent:

- Install the agent software.
- Activate the Tivoli Access Manager Agent as a service on the agent's system.
- Configure the agent's communication protocols to enable the Tivoli Access Manager Agent to communicate with the Tivoli Identity Manager Server.
- Install the agent's profile on the Tivoli Identity Manager Server.
- Configure the Tivoli Identity Manager Server to recognize the agent as a service.

Chapter Descriptions

The Tivoli Access Manager Agent Installation Guide contains information pertinent to the proper installation and configuration of the Tivoli Access Manager Agent in the following chapters and appendices:

Chapter 1, Overview
  Provides an overview of this document and the basic procedures necessary to install and configure this agent.

Chapter 2, Agent Installation
  Contains detailed information about installing the agent. This chapter also contains additional steps required to configure the agent properly.

Chapter 3, Agent Profile Installation
  Contains detailed information about installing the agent's profile on the Tivoli Identity Manager Server. Installing the agent's profile on the Tivoli Identity Manager Server allows the Tivoli Identity Manager Server to recognize the agent. If the agent profile is not installed on the Tivoli Identity Manager Server, the Tivoli Identity Manager Server will not be able to manage access to the Windows NT servers.

Chapter 4, Agent Parameters Modification
  Contains information about using the agentcfg tool. The agentcfg tool provides an easy way to configure various properties specific to the agent, such as communication protocols, logging settings, and so on.

Chapter 5, Certificate Installation
  Contains information about using the CertTool tool. The CertTool tool provides an easy way to request, install, and register certificates for use with the agent.

Appendix A, Agent Variables
  Contains information about the agent variables.

Appendix B, Additional Installation Options
  Contains additional installation options information and information about uninstalling the agent.

Appendix C, Notices
  Contains legal notices for this agent.
Chapter 2. Agent Installation

This chapter describes the procedure to install and configure the Tivoli Access Manager Agent software. Each step includes a short procedure that completes one aspect of the overall agent installation process. You must complete the steps in the order they are listed.

Requirements

The following table identifies hardware, software, and authorization requirements to install the Tivoli Access Manager Agent. Verify that all of the requirements have been met before installing the Tivoli Access Manager Agent.

Table 1. Requirements to install the agent

System
  The agent must be installed on a server with a 32-bit x86-based microprocessor (486 minimum), at least 256 MB of memory, and at least 300 MB of free disk space.

Operating System
  Windows NT 4.0 with SP6 or Windows 2000 workstation with SP2.

Tivoli Access Manager Software
  Tivoli Access Manager Run-time Environment must be installed and operational on the system where the agent is installed.

Tivoli Access Manager Client
  The Tivoli Access Manager run-time environment requires that an LDAP client be installed on the application deployment system.
  Note: The Tivoli Access Manager run-time environment installation enforces installation of the required software. For installation instructions, see the Tivoli Access Manager Base Installation Guide for your operating system.
  Tivoli Access Manager LDAP and GSKit version 4.1 must be installed and operational on the system where the agent is installed.

Network Connectivity
  The agent must be installed on a system that can communicate with the Tivoli Identity Manager Server through a TCP/IP network.

System Administrator Authority
  The person completing the Tivoli Access Manager Agent installation procedure must have system administrator authority to complete the steps in this chapter.

Server Communication
  Communication between the Tivoli Identity Manager Server and the Tivoli Access Manager Agent should be tested with a low-level communication ping before installing any IBM software. This makes troubleshooting easier if you encounter installation problems.

Information Worksheet

Use the following worksheet to document information required to install and configure the Tivoli Access Manager Agent. Complete this worksheet before starting the installation procedure. The worksheet includes default values supplied by IBM and identifies the information you need to modify during installation.
Make a copy of the worksheet for each server where you are installing the Tivoli Access Manager Agent. For example, if you have five Windows servers where you are installing the Tivoli Access Manager Agent, you need five copies of the worksheet.

Step 1: Installing the Agent
  The Tivoli Identity Manager Tivoli Access Manager Agent installation files are available for download from IBM's Web site. Contact your IBM account representative for the Web address and download instructions. Install the Tivoli Access Manager Agent using the provided executable installation program. The Tivoli Access Manager Agent default destination directory is the C:\Tivoli\Agents\TAM4Agent directory. For more information, see Step 1: Installing the Agent.
  You will need the following information:
  - Tivoli Access Manager v4.1 Agent administrator account ID
  - Tivoli Access Manager v4.1 Agent administrator account password

Step 2: Activating the Agent as a Service
  Start the Tivoli Access Manager Agent as a service. For more information, see Step 2: Activating the Agent as a Service on page 6.

Step 3: Configuring the Agent
  Configure the agent's communication protocol to use the DAML protocol to communicate with the Tivoli Identity Manager Server. For more information, see Step 3: Configuring the Agent on page 6.

Step 4: Installing the Agent's Certificate
  Install the agent's certificate. This certificate is used by the DAML protocol during communication with the Tivoli Identity Manager Server. For more information, see Step 4: Installing the Agent's Certificate on page 6.

Step 5: Installing the Agent's Profile
  Install the agent's profile on the Tivoli Identity Manager Server. For more information, see Step 5: Installing the Agent's Profile on page 6.

Step 6: Configuring the Agent for Event Notification
  Configure the Tivoli Access Manager Agent for event notification. This step is optional. For more information, see Step 6: Configuring the Agent for Event Notification on page 7.

Step 7: Configuring the Agent's Forms
  Configure the agent's forms on the Tivoli Identity Manager Server. For more information, see Step 7: Configuring the Agent's Forms on page 7.

Step 1: Installing the Agent

An executable installation program is provided for the Tivoli Access Manager Agent. When you run the installation program, you can accept the default settings or select new values.
The Tivoli Identity Manager Tivoli Access Manager Agent installation files are available for download from IBM's Web site. Contact your IBM account representative for the Web address and download instructions.

To install the agent, do the following:

1. Download the Tivoli Access Manager Agent installation zip file from IBM's Web site.
2. Extract the contents of the Tivoli Access Manager Agent installation zip file into a temporary directory.
3. Select Run... from the Start menu and type the path to the temporary directory followed by Setup.exe. For example:
     C:\Temp\Setup.exe
   The Welcome dialog window appears.
4. Click Next. The License Agreement window opens.
5. Read the license agreement and decide whether to accept its terms. If you do, click Accept.
6. Click Next. The Select Destination Directory dialog window appears.
   [Figure 1. Select Destination Directory dialog window: the installer prompts "Click Next to install <agentname> to this directory, or click Browse to install to a different directory", with the Directory Name field defaulting to C:\tivoli\agents\<agentname> and Browse..., Back, Next and Cancel buttons.]
7. Accept the default or select an alternate destination path and click Next. The Install Summary dialog window appears.
8. Click Next. The Access Manager Account Setup dialog is displayed.
9. Type the Tivoli Access Manager administrator account ID and password in the respective fields and click Next. The Tivoli Access Manager v4.1 Agent is installed and a completion dialog is displayed.
10. Click Finish.

Step 2: Activating the Agent as a Service

The Tivoli Access Manager Agent is installed on the Windows NT Server and automatically starts whenever the server is rebooted. However, the service is not active after installation. Select the Tivoli Access Manager Agent service to start the Tivoli Access Manager Agent software on the target platform.

Step 3: Configuring the Agent

The Tivoli Access Manager Agent uses the DAML protocol to ensure secure communication with the Tivoli Identity Manager Server. Default protocol values are provided. However, you must configure the DAML protocol for your site's systems. Refer to Changing Protocol Configuration Settings on page 14 for more information.

Note: A certificate must be installed for the DAML protocol. Refer to Chapter 5, Certificate Installation, on page 29 for more information about installing certificates.

Step 4: Installing the Agent's Certificate

A certificate must also be installed for the DAML protocol. You must obtain a production certificate from a well-known Certificate Authority or create your own certificate using your own Certificate Authority. The Tivoli Access Manager Agent does not come prepackaged with a certificate. Refer to Chapter 5, Certificate Installation, on page 29 for more information about installing certificates.

When you install the new certificate, you will also need to install the new Certificate Authority on the Tivoli Identity Manager Server. Refer to the Tivoli Identity Manager Server Configuration Guide for more information.

Note: You must configure the DAML protocol before installing your certificate. Stop and restart the agent after the certificate is installed.

Step 5: Installing the Agent's Profile

Before an agent can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the agent as a service.
See Chapter 3, Agent Profile Installation, on page 9 for more information on installing the agent's profile on the Tivoli Identity Manager Server.

Note: If this is an upgrade of an existing agent, the new agent schema will not be reflected immediately. The Tivoli Identity Manager system stores the agent schema in memory. However, this cache is periodically refreshed and the new agent schema will be reflected after the cache is refreshed. Re-boot the Tivoli Identity Manager system to refresh the agent schema immediately.

Step 6: Configuring the Agent for Event Notification

You can choose to configure event notification for agents configured to use the DAML protocol. Complete this step only if you want to monitor agent attributes for changes that will trigger event notifications.

Note: This step is optional. The agent can accept requests from the Tivoli Identity Manager Server whether you configure event notification or not.

To do this, identify the Tivoli Identity Manager Server:

1. Select Configure Protocol from the Agent Protocol Configuration Menu. For more information, see Changing Protocol Configuration Settings on page 14.
2. Select DAML as the protocol to configure.
3. Select SRV_NODENAME.
4. Specify the IP address or fully-qualified hostname that identifies the Tivoli Identity Manager Server and press Enter. The Protocol Properties menu reappears and displays your new settings.
5. Select SRV_PORTNUMBER.
6. Specify the port number the Tivoli Identity Manager Server uses to connect to the agent and press Enter. The Protocol Properties menu reappears and displays your new settings.
7. Select SRV_USERNAME.
8. Specify the username the Tivoli Identity Manager Server uses to connect to the agent and press Enter. The Protocol Properties menu reappears and displays your new settings.
9. Select SRV_PASSWORD.
10. Specify the password for the username the Tivoli Identity Manager Server uses to connect to the agent and press Enter. The Protocol Properties menu reappears and displays your new settings.

Step 7: Configuring the Agent's Forms

Configure the agent's service maintenance and account maintenance forms on the Tivoli Identity Manager Server. Refer to the Tivoli Identity Manager Policy and Organization Administration Guide for more information.
Chapter 3. Agent Profile Installation

Requirements

Before an agent can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the agent as a service. The Tivoli Access Manager Agent comes with a second installation script that installs the agent's profile on the Tivoli Identity Manager Server as a service profile.

This chapter describes the procedure to install and configure the Tivoli Access Manager Agent profile on the Tivoli Identity Manager Server. Each step includes a short procedure that completes one aspect of the overall profile installation process. You must complete the steps in the order they are listed.

Notes:

1. If you intend to install multiple agent profiles on the Tivoli Identity Manager Server, it is important that you install them one at a time. You must wait for a single profile installation to complete before starting the next profile installation.
2. If you are upgrading the agent software, you must also upgrade the agent profile on the Tivoli Identity Manager Server.
3. In a WebLogic Application Server cluster, the agent profile must be installed on every managed server. If the agent profile is not installed on every member of the cluster, the managed server that did not have the agent profile installed will not recognize the agent as a service if the other managed servers become unavailable.
4. In a WebSphere Application Server cluster, you should install the agent profile on the computer on which Network Deployment Manager is installed, although the agent profile can be installed on any server in the cluster. The profile information is pushed into the directory and becomes available to all cluster members.

The following table identifies hardware, software, and authorization requirements to install the Tivoli Access Manager Agent profile on the Tivoli Identity Manager Server. Verify that all the requirements have been met before installing the Tivoli Access Manager Agent profile.

Table 2. Requirements before installing an agent profile

Server
  The Tivoli Identity Manager Server must be installed and running before the agent's profile can be installed.

System Administrator Authority
  The person completing the Tivoli Access Manager Agent profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter.

Installing the Agent Profile

1. Log in to the Tivoli Identity Manager Server as root.
2. Download the Tivoli Access Manager Agent installation zip file from IBM's Web site and extract the contents of the zip file into a temporary directory.
   Note: Contact your IBM account representative for the Web address and download instructions for agent installation files.
3. Complete one of the following:
   - For a Tivoli Identity Manager Server installed on a UNIX platform:
     Change the working directory to the temporary directory where you extracted the agent installation files.
       # cd /tmp
     where tmp is the path of the directory containing the agent installation files.
     Run the Tivoli Access Manager Agent profile installation script that is appropriate for your operating system.
       # ./tam4profile_<operating system>.bin
     where <operating system> is the name of your operating system, such as aix, solaris, or hpxxxx. A graphical user interface appears.
   - For Tivoli Identity Manager Servers installed on Windows:
     Select Run... from the Start menu, type the path to the temporary directory where you extracted the agent installation followed by tam4profile.exe. For example:
       C:\temp\tam4profile.exe
   The Welcome dialog window appears.
4. Click Next. The Select Tivoli Identity Manager Home Directory screen appears.
5. Type the Tivoli Identity Manager Server home directory in the text field and click Next. You can also select the directory by clicking Browse... and browsing to the correct directory. You must install the agent profile in the same home directory in which the Tivoli Identity Manager Server is installed.
   Note: If the installation program cannot determine whether the Tivoli Identity Manager Server home directory that you entered is correct, the ITIM Not Found dialog window is displayed.
   The Install Summary dialog window appears.
6. Click Next. The Installation Progress dialog window appears. Upon successful installation, the Applying Schema Updates window appears, and any schema updates will be applied. The Install Complete dialog window appears after installation is complete.
7. Click Finish to conclude the installation process.
Verifying the Agent Profile is Installed

To ensure that the agent profile installed correctly, navigate to the directory where agent profile files are installed. If the agent profile installation was successful, an agent profile directory will be created in the remote_resources folder. Examples are provided below:

For Windows:
  C:\itim\data\remote_resources\nt40profile\

For UNIX:
  /itim/data/remote_resources/nt40profile/
Chapter 4. Agent Parameters Modification

This chapter describes how to use agentcfg, the provided agent configuration program, to view or modify Tivoli Access Manager Agent parameters. All modifications made to settings with this tool take effect immediately.

Accessing the Agent Configuration Tool Main Menu

The following procedure describes how to access the main menu of the agentcfg tool for Tivoli Access Manager Agent parameters.

1. Select Programs from the Start menu, select Accessories, and then select Command Prompt. The DOS Command Prompt window appears.
2. Change to the agent's bin directory. Type the following, if the Tivoli Access Manager Agent directory is in the default location:
     cd \Tivoli\Agents\TAM4Agent\bin
3. Type agentcfg -agent TAM4Agent at the prompt.
     Enter configuration key for Agent TAM4Agent :
   You can also use agentcfg to view or change configuration settings from a remote computer. See the table in Accessing Help and Additional Options on page 26 for procedures on using the -hostname argument.
4. Type the configuration key for the Tivoli Access Manager Agent. The default configuration key is agent. See Changing Protocol Configuration Settings on page 14 for procedures to change the configuration key. The Main Configuration menu appears.

     TAM4Agent 4.5.0 Agent Main Configuration Menu
     -------------------------------------------
     A. Configuration Settings.
     B. Protocol Configuration.
     C. Event Notification
     D. Change Configuration Key.
     E. Activity Logging.
     F. Registry Settings.
     G. Advanced Settings.
     H. Statistics
     X. Done
     Select menu option:

This chapter includes a section for each of the following main functions:

- For option A, see Viewing Configuration Settings on page 14
- For option B, see Changing Protocol Configuration Settings on page 14
- For option C, see Setting Event Notification on page 17
- For option D, see Changing the Configuration Key on page 21
- For option E, see Changing Activity Logging Settings on page 22
- For option F, see Changing Registry Settings on page 24
- For option G, see Changing Advanced Settings on page 25
- For option H, see Viewing Statistics on page 26

Viewing Configuration Settings

The following procedure describes how to view the Tivoli Access Manager Agent configuration settings.

1. Type option A (Configuration Settings) at the main menu prompt. The configuration settings for the Tivoli Access Manager Agent appear. The following is a sample of the Tivoli Access Manager Agent configuration settings.

     Configuration Settings
     -------------------------------------------
     Name                        : TAM4Agent
     Version                     : 4.5.0
     ADK Version                 : 4.27
     ERM Version                 : 4.27
     enrole Version              : 4.0
     License                     : NONE
     Asynchronous ADD Requests   : TRUE (Max.Threads:3)
     Asynchronous MOD Requests   : TRUE (Max.Threads:3)
     Asynchronous DEL Requests   : TRUE (Max.Threads:3)
     Asynchronous SEA Requests   : TRUE (Max.Threads:3)
     Available Protocols         : DAML, FTP
     Configured Protocols        : DAML
     Logging Enabled             : TRUE
     Logging Directory           : C:\Tivoli\Agents\TAM4Agent\Log
     Log File Name               : TAM4Agent.log
     Max. log files              : 3
     Max.log file size (Mbytes)  : 1
     Debug Logging Enabled       : TRUE
     Detail Logging Enabled      : FALSE
     Press any key to continue

2. Press any key to return to the main menu.

Changing Protocol Configuration Settings

The agent can communicate with the Tivoli Identity Manager Server using DAML or FTP. By default, agents are configured to use DAML as the communication protocol. Procedures provided in this section contain instructions for modifying DAML protocol configuration settings. Configuring the agent to use FTP requires additional configuration not provided in this section.

The following procedure describes how to change the Tivoli Access Manager Agent protocol configuration settings. This section also describes the purpose of the provided functions.

1. Type B (Protocol Configuration) at the main menu prompt. The Protocol Configuration menu appears. The configured and available protocols for your server display above the menu options. The DAML protocol is configured and available by default for the Tivoli Access Manager Agent.
14 IBM Tivoli Identity Manager: Tivoli Access Manager Agent for Windows Installation Guide
Agent Protocol Configuration Menu
-----------------------------------
Available Protocols: DAML, FTP
Configured Protocols: DAML
A. Add Protocol.
B. Remove Protocol.
C. Configure Protocol.
X. Done
Select menu option

2. See the following procedure that corresponds with the option that you want to select:
- For option A, see Adding a Protocol
- For option B, see Removing a Protocol
- For option C, see Configuring a Protocol
Type X to return to the main menu.

Adding a Protocol

1. Type A (Add Protocol) at the Protocol Configuration menu prompt. The Add New Protocol menu appears and displays protocols that are available on your server. If there are no protocols to add, the Protocol Configuration menu reappears.
2. Type the menu option letter of the protocol that you want to add. The Protocol Configuration menu reappears. The protocol that you added appears as a Configured Protocol. See the procedure for Configuring a Protocol to modify the default configuration settings for the protocol that you added.

Removing a Protocol

1. Type B (Remove Protocol) at the Protocol Configuration menu prompt. The Remove Protocol menu appears and displays all protocols that have been added. If there are no protocols to remove, the Protocol Configuration menu reappears.
2. Type the menu option letter of the protocol that you want to remove. The Protocol Configuration menu reappears and the protocol that you removed is no longer listed as a configured protocol. However, the protocol remains as an available protocol that can be added again.

Configuring a Protocol

1. Type C (Configure Protocol) at the Protocol Configuration menu prompt. The Configure Protocol menu appears.
2. Type the menu option letter of the protocol that you want to configure. The Protocol Properties menu for the configured protocol appears with protocol properties.

Note: The properties on your menu may be different from the ones shown. The following is an example of the DAML protocol properties:
Chapter 4. Agent Parameters Modification 15
DAML Protocol Properties
--------------------------------------------------------------------
A. PORTNUMBER          45580         ;Protocol Server port number.
B. USERNAME            ******        ;Authorized user name.
C. PASSWORD            ******        ;Authorized user password.
D. SRV_NODENAME        192.168.6.40  ;Event Notif. Server name.
E. SRV_PORTNUMBER      443           ;Event Notif. Server port number.
F. SRV_USERNAME        ******        ;Event Notif. user name.
G. SRV_PASSWORD        ******        ;Event Notif. Server password.
H. VALIDATE_CLIENT_CE  FALSE         ;Require client certificate.
X. Done
Select menu option:

3. Type the menu option letter of the protocol property that you want to configure. See the table below for additional information about the menu options for the DAML protocol.

Table 3. Menu options for the DAML protocol

Type this option / To accomplish this

A (PORTNUMBER)
   The following prompt appears:
   Modify Property PORTNUMBER :
   Type a different port number, for example, 7004. This is the port number the Tivoli Identity Manager Server uses to connect to the agent.

B (USERNAME)
   The following prompt appears:
   Modify Property USERNAME :
   Type a username, for example, admin. This is the username the Tivoli Identity Manager Server uses to connect to the agent.

C (PASSWORD)
   The following prompt appears:
   Modify Property PASSWORD :
   Type a password, for example, *******. This is the password for the username the Tivoli Identity Manager Server uses to connect to the agent.

D (SRV_NODENAME)
   The following prompt appears:
   Modify Property SRV_NODENAME :
   Type a server name, for example, 192.168.6.152. This is the DNS name or IP address of the Tivoli Identity Manager Server.

E (SRV_PORTNUMBER)
   The following prompt appears:
   Modify Property SRV_PORTNUMBER :
   Type a different port number to access the Tivoli Identity Manager Server, for example, 7004. This is the port number the agent uses to connect to the Tivoli Identity Manager Server.
Table 3. Menu options for the DAML protocol (continued)

F (SRV_USERNAME)
   The following prompt appears:
   Modify Property SRV_USERNAME :
   Type a different username, for example, admin. This is the username the agent uses to connect to the Tivoli Identity Manager Server.

G (SRV_PASSWORD)
   The following prompt appears:
   Modify Property SRV_PASSWORD :
   Type a different password, for example, *****. This is the password for the username the agent uses to connect to the Tivoli Identity Manager Server.

H (VALIDATE_CLIENT_CE)
   The following prompt appears:
   Modify Property VALIDATE_CLIENT_CE :
   Type TRUE to require the Tivoli Identity Manager Server to send a certificate when communicating with the agent. Type FALSE to allow the Tivoli Identity Manager Server to communicate with the agent without a certificate. With FALSE, the default, the connection is still encrypted and the server must still present the USERNAME and PASSWORD, but the agent does not verify the identity of the server that connects to it.
   Note: You must configure options D through H of the CertTool if you set this option to TRUE. Tivoli Identity Manager no longer supports two-way authentication; see Chapter 5.

4. Change the value and press Enter. The Protocol Properties menu reappears and displays your new settings.

Note: Press Enter to return to the Protocol Properties menu without modifying the selected value.

Setting Event Notification

The following procedure describes how to set Event Notification for the Tivoli Identity Manager Server. Event Notification updates the Tivoli Identity Manager Server at set intervals with the changes the agent has detected on the managed resource.

Note: The example menu shows all the options displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed.

1. Type C (Event Notification) at the main menu prompt. The Event Notification Menu appears.
Event Notification Menu
--------------------------------------------------------------
* Reconciliation interval    : 1 day(s)
* Next Reconciliation time   : 23 hour(s) 56 min(s). 23 sec(s).
* Configured Contexts        : Jupiter, dd309
A. Enabled
B. Time interval between reconciliations.
C. Set Processing cache size. (currently: 50 Mbytes)
D. Start event notification now.
E. Set attributes to be reconciled.
F. Reconciliation process priority. (current: 1)
G. Add Event Notification Context.
H. Modify Event Notification Context.
I. Remove Event Notification Context.
J. List Event Notification Contexts.
X. Done
Select menu option:

2. Type the menu option letter of the Event Notification option that you want to change.

Note: Option A must be enabled in order for the values of the other options to take effect.

Table 4. Event notification options

Type this option / To accomplish this

A (Enabled)
   If this option is enabled, the agent updates the Tivoli Identity Manager Server with changes to the agent at regular intervals. When the option is set to:
   - disabled, it automatically changes to enabled
   - enabled, it automatically changes to disabled

B (Time interval between reconciliations)
   The following prompt appears:
   Enter new interval ([ww:dd:hh:mm:ss]) [00:01:00:00:00]:
   Type a different reconciliation interval. Press Enter to return to the Event Notification menu without changing the value.

C (Set processing cache size)
   The following prompt appears:
   Enter new cache size[5]:
   Type a different value to change the processing cache size. Press Enter to return to the Event Notification menu without changing the value.

D (Start event notification now)
   If this option is selected, event notification is started.

E (Set attributes to be reconciled)
   The Event Notification Entry Types menu appears. See Setting Attributes to be Reconciled on page 19 for more information.
Table 4. Event notification options (continued)

F (Reconciliation process priority)
   The following prompt appears:
   Enter new thread priority [1-10]:
   Type a different thread value to change the reconciliation process priority. Press Enter to return to the Event Notification menu without changing the value.

G (Add Event Notification Context)
   The following prompt appears:
   Context name :
   Type the new context name and press Enter. The new context is added.

H (Modify Event Notification Context)
   A menu listing the available contexts appears. See Modifying an Event Notification Context on page 20 for more information.

I (Remove Event Notification Context)
   The Remove Context menu appears. Select the context to remove and the following prompt appears:
   Delete context context1? [no]:
   Press Enter to exit without deleting the context, or type Yes and press Enter to delete the context.

J (List Event Notification Contexts)
   The Event Notification Contexts are displayed in the following format:
   Context Name : Context1
   Target DN : erservicename=context1,o=ibm,ou=ibm,dc=com
   --- Attributes for search request ---
   {search attributes listed}
   -----------------------------------------------

3. Press Enter if you changed the value for option B, C, E or F. The Event Notification menu reappears and displays your new settings.

Note: The other options are changed automatically when you type the corresponding menu option letter.

Setting Attributes to be Reconciled

Setting attributes to be reconciled consists of selecting the attributes whose value changes trigger event notifications. Attributes that change frequently (password age or last successful logon, for example) can be omitted.

1. Type E (Set attributes to be reconciled) at the Event Notification Menu. The Event Notification Entry Types menu appears.

Event Notification Entry Types
-------------------------------------------
A. USER
B. GROUP
X. Done
Select menu option:

2. Type A for attributes returned during a user reconciliation or type B for attributes returned during a group reconciliation.
The Event Notification Attribute Listing for the selected reconciliation type appears.

Note: The default setting lists all attributes the agent supports.

Event Notification Attribute Listing
-------------------------------------
(a) ** (b) ** (c) ** (d) ** (e) ** (f) ** (g) ** (h) ** (i) **
(j) ** (k) ** (l) ** (m) ** (o) ** (q) ** (r) ** (s) ** (t) **
(p)rev page 1 of 3 (n)ext
-----------------------------
X. Done
Select menu option:

3. Type the letter option of the attribute to exclude from an event notification. Attributes that are marked with the asterisks are returned during the event notification. Attributes that are not marked with asterisks are not returned during the event notification.

Modifying an Event Notification Context

1. Type H (Modify Event Notification Context) at the Event Notification menu. The Modify Context Menu appears.

Modify Context Menu
------------------------------
A. Context1
B. Context2
C. Context3
X. Done
Select menu option:

2. Select the desired context. The Modify Context menu for the selected context appears.

A. Set attributes for search
B. Target DN:
C. Delete Baseline Database
X. Done
Select menu option:

See Adding Search Attributes for Event Notification for option A. See Configuring the Target DN for Event Notification Contexts on page 21 for option B. See Removing the Baseline Database for Event Notification Contexts on page 21 for option C.

Adding Search Attributes for Event Notification

1. Type A (Set attributes for search) at the desired context's Modify Context menu. The Reconciliation Attributes Passed to Agent menu appears.
Reconciliation Attributes Passed to Agent for Context: Context1
----------------------------------------------------
----------------------------------------------------
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:

2. Select the desired option and complete the requested information at the prompts. The Reconciliation Attributes Passed to Agent menu reappears with the changes displayed.

Configuring the Target DN for Event Notification Contexts

1. Type B (Target DN) at the desired context's Modify Context menu. The following prompt appears:
   Enter Target DN:
2. Type the target DN for the context and press Enter. The target DN for the event notification context must be in the following format:
   erservicename=nameofservice,o=organizationname,ou=tenantname,dc=com

Each element of the DN is defined as follows:

erservicename
   Name of the target service as defined in Tivoli Identity Manager.
o
   Name of the organization in Tivoli Identity Manager.
ou
   Name of the tenant in which the organization is located. If Tivoli Identity Manager is an enterprise installation, this is the name of the organization.
dc=com
   Root of the directory tree.

The selected context's Modify Context menu reappears with the new target DN listed.

Removing the Baseline Database for Event Notification Contexts

This option is only available after a context is created and a reconciliation is run on the context to create a Baseline Database file. Type C (Delete Baseline Database) at the desired context's Modify Context menu. The selected context's Modify Context menu reappears with the Delete Baseline Database option removed.

Changing the Configuration Key

The following procedure describes how to change the Tivoli Access Manager Agent configuration key. You use this key as a password to access the configuration tool for the selected agent.

1. Type D (Change Configuration Key) at the main menu prompt. The following prompt appears:
   Enter new configuration key for Agent TAM4Agent 4.5.0 :
2. Type the new key and press Enter.
Press Enter to return to the Main Configuration menu without changing the configuration key. The default configuration key is agent. Change it from the default before the agent is reachable on the network: agentcfg can open this configuration menu for an agent on a remote host (see the -hostname argument in Table 7), so anyone who can reach the agent's port and knows the key can change the DAML credentials, the event notification contexts and every other setting in this chapter.

Note: Enter a configuration key that you can easily remember.

A message appears:
   Configuration key successfully changed.
The configuration program exits and the main prompt reappears.

Changing Activity Logging Settings

The following procedure describes how to change the Tivoli Access Manager Agent activity logging settings. When you enable logging, Tivoli Identity Manager maintains a log file of all transactions in a dated archive log file, TAM4Agent.log.

1. Type E (Activity Logging) at the main menu prompt. The Agent Activity Logging menu appears. The following sample shows the default activity logging settings.

Agent Activity Logging Menu
-------------------------------------
A. Activity Logging (Enabled).
B. Logging Directory (current: C:\Tivoli\Agents\TAM4Agent\Log).
C. Activity Log File Name (current: TAM4Agent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3)
F. Debug Logging (Enabled).
G. Detail Logging (Disabled).
H. Base Logging (Disabled).
X. Done
Select menu option:

2. Type the menu option letter of the activity logging option that you want to change.

Note: Option A (Activity Logging) must be enabled in order for the values of the other options to take effect.

Table 5. Activity logging options

Type this option / To accomplish this

A (Activity Logging)
   Set this option to enabled and Tivoli Identity Manager maintains a log file of all transactions in a dated archive log file. When the option is set to:
   - disabled, it automatically changes to enabled
   - enabled, it automatically changes to disabled

B (Logging Directory)
   Type a different value for the logging directory, for example, C:\Log. When the logging option is enabled, details about each access request are stored in the logging file that is located in this directory. Press Enter to return to the Agent Activity Logging menu without changing the value.
Table 5. Activity logging options (continued)

C (Activity Log File Name)
   Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file. Press Enter to return to the Agent Activity Logging menu without changing the value.

D (Activity Logging Max File Size)
   Type a new value, for example, 10. The oldest data is archived when the log file reaches the maximum file size. File size is measured in megabytes. Nothing prevents the maximum file size multiplied by the maximum number of files from exceeding the capacity of the disk that holds the logging directory, so size the two settings together. Press Enter to return to the Agent Activity Logging menu without changing the value.

E (Activity Logging Max Files)
   Type a new value up to 100, for example, 5. The agent automatically deletes the oldest activity logs beyond the specified limit. Press Enter to return to the Agent Activity Logging menu without changing the value.

F (Debug Logging)
   If this option is set to enabled, the agent includes the debug statements in the log file of all transactions. When the option is set to:
   - disabled, it automatically changes to enabled
   - enabled, it automatically changes to disabled

G (Detail Logging)
   If this option is set to enabled, the agent maintains a detailed log file of all transactions.
   Note: The detail logging option should be used for diagnostic purposes only. When the detail logging option is on, the application's performance can be adversely affected.
   When the option is set to:
   - disabled, it automatically changes to enabled
   - enabled, it automatically changes to disabled

H (Base Logging)
   If this option is set to enabled, the agent maintains a log file of all transactions in the ADK and library files. When the option is set to:
   - disabled, it automatically changes to enabled
   - enabled, it automatically changes to disabled

3. Press Enter if you changed the value for option B, C, D, or E. The Agent Activity Logging menu reappears and displays your new settings.

Note: The other options are changed automatically when you type the corresponding menu option letter.
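Two values on the event notification menus are typed free-form and are only checked when the agent next tries to use them: the reconciliation interval of Table 4 option B, entered as ww:dd:hh:mm:ss, and the target DN of a context, which must follow the erservicename=...,o=...,ou=...,dc=com shape described under Configuring the Target DN for Event Notification Contexts. The following POSIX shell functions are an added example, not part of the IBM guide or of agentcfg, for checking both before they are entered: the interval is converted to seconds (a malformed string, an hour, minute or second field out of range, or an all-zero interval is rejected), and the DN is checked for the documented sequence of RDNs with non-empty values, with the service name extracted so it can be compared with the service defined on the Tivoli Identity Manager Server. Function names and the sample values are assumptions constructed for the example; the DN check verifies shape only, whether the service and organization exist is known only to the server.

```shell
#!/bin/sh
# Added example, not part of the IBM guide or of agentcfg: offline checks for
# the two free-form values typed into the Event Notification menus.
# Sample values in the comments are constructed for illustration.

# interval_to_seconds WW:DD:HH:MM:SS
# Prints the interval in seconds and returns 0. Returns 1 (prints nothing) if
# the string is not five two-digit fields, if hours, minutes or seconds are
# out of range, or if the interval is zero (the agent would never wait).
interval_to_seconds() {
    case "$1" in
        [0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    _saved_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$_saved_ifs
    # Strip one leading zero so "08" is not read as an invalid octal literal.
    _ww=${1#0}; _dd=${2#0}; _hh=${3#0}; _mm=${4#0}; _ss=${5#0}
    [ "$_hh" -lt 24 ] && [ "$_mm" -lt 60 ] && [ "$_ss" -lt 60 ] || return 1
    _total=$(( ((_ww * 7 + _dd) * 24 + _hh) * 3600 + _mm * 60 + _ss ))
    [ "$_total" -gt 0 ] || return 1
    echo "$_total"           # e.g. 00:01:00:00:00 -> 86400
}

# check_target_dn DN
# Returns 0 if the DN has the shape the guide documents for a context,
#   erservicename=<service>,o=<organization>,ou=<tenant>,dc=com
# with every value non-empty and no RDN missing or added. Attribute types
# are matched case-insensitively. A value containing an unescaped comma
# would shift every later RDN, so such a DN is rejected too.
check_target_dn() {
    printf '%s\n' "$1" |
        grep -Eiq '^erservicename=[^,]+,o=[^,]+,ou=[^,]+,dc=com$'
}

# target_dn_service DN
# Prints the erservicename value of a well-formed DN so it can be compared
# with the service name defined on the Tivoli Identity Manager Server.
target_dn_service() {
    check_target_dn "$1" || return 1
    _rest=${1#*=}                 # drop "erservicename="
    printf '%s\n' "${_rest%%,*}"  # keep the value up to the first comma
}

# Run directly with the interval and DN you are about to enter, for example:
#   sh check_en_inputs.sh 00:01:00:00:00 'erservicename=TAM4Agent,o=IBM,ou=IBM,dc=com'
if [ $# -eq 2 ]; then
    if _secs=$(interval_to_seconds "$1"); then
        echo "interval ok: $_secs seconds"
    else
        echo "bad interval: $1 (expected ww:dd:hh:mm:ss)" >&2
        exit 1
    fi
    if _svc=$(target_dn_service "$2"); then
        echo "target DN ok, service: $_svc"
    else
        echo "bad target DN: $2" >&2
        exit 1
    fi
fi
```

Both functions return non-zero on a malformed input, so the file can be sourced and the checks used to gate a scripted configuration step as well as run by hand.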
Changing Registry Settings

The following procedure describes how to change the Tivoli Access Manager Agent registry settings.

1. Type F (Registry Settings) at the main menu prompt. The Registry menu appears.

TAM4Agent 4.5.0 Agent Registry Menu
-------------------------------------------
A. Modify Non-encrypted registry settings.
B. Modify encrypted registry settings.
C. Multi-instance settings.
X. Done
Select menu option:

2. See the following procedures on modifying registry settings.

Note: There are no encrypted registry settings for this agent.

Modifying Non-encrypted Registry Settings

1. Type A (Modify Non-encrypted registry settings) at the Registry menu prompt. The Non-encrypted Registry settings menu appears.

Agent Registry Items
---------------------------
01. ENROLE_Version             4.0
02. ExecTimeout                6000
03. ManageHomeDirs             TRUE
04. ReconBufferSize            -1
05. ReconHomeDirSecurity       FALSE
06. ReconLastLogon             FALSE
07. ReconLastLogonAllowErrors  FALSE
08. WtsEnable                  FALSE
--------------------------------
Page 1 of 1
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:

2. Type one of the following options:
   - A) Add new attribute
   - B) Modify attribute value
   - C) Remove attribute
   - X) Done
3. Type the registry item name, and press Enter.
4. Type the registry item value, if you selected option A or B, and press Enter. The non-encrypted registry settings menu reappears and displays your new setting(s).

Multi-instance Settings

This option allows you to configure multi-instance settings.

Note: This option is only valid if the agent can support multiple instances.
1. Type C (Multi-instance Settings) at the Registry Menu prompt. The Tivoli Access Manager Agent Instance Class Menu appears.

TAM4Agent 4.5.0 Agent Instance Class Menu
-------------------------------------------------------
-------------------------------------------------------
A. Select instance class.
X. Done.

2. Type one of the available options.
3. Type the requested information and press Enter. The Tivoli Access Manager Agent Instance Class Menu reappears and displays your new settings.

Changing Advanced Settings

The following procedure describes how to change the Tivoli Access Manager Agent thread count settings for the following types of requests:
- System Login Add
- System Login Change
- System Login Delete
- Reconciliation
These settings determine the maximum number of requests that the Tivoli Access Manager Agent processes concurrently.

1. Type G (Advanced Settings) at the main menu prompt. The Advanced Settings menu appears. The following sample shows the default thread count settings.

TAM4Agent 4.5.0 Advanced Settings Menu
-------------------------------------------
A. Single Thread Agent (current:true)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:false)
G. Archive Request Packets (current:false)
H. UTF8 Conversion support (current:true)
I. Pass search filter to agent (current:false)
J. Thread Priority Level (1-10) (current:4)
X. Done
Select menu option:

2. Type the menu option letter of the advanced setting that you want to change.

Note: The UTF8 Conversion support setting must be set to FALSE to support Western European character sets.

Table 6. Advanced settings menu options

Type this option / To accomplish this

A (Single Thread Agent)
   Forces the agent to allow only one request at a time.

B (ADD max. thread count)
   Controls how many simultaneous ADD requests can run at one time.

C (MODIFY max. thread count)
   Controls how many simultaneous MODIFY requests can run at one time.
Table 6. Advanced settings menu options (continued)

D (DELETE max. thread count)
   Controls how many simultaneous DELETE requests can run at one time.

E (SEARCH max. thread count)
   Controls how many simultaneous SEARCH requests can run at one time.

F (Allow User EXEC procedures)
   Determines whether the agent allows pre- and post-exec functions. Enabling this option is a potential security risk: requests can then cause procedures to run on the agent host, so leave it disabled unless a workflow requires it. This option is disabled by default.

G (Archive Request Packets)
   Instructs the agent to retain copies of the request packets in an archive. This option is specific to the FTP protocol and is used primarily for debugging purposes. By default, request packets are deleted once they have been read unless this option is enabled.

H (UTF8 Conversion support)
   This option is no longer used.

I (Pass search filter to agent)
   Provides filtering functionality for search requests by issuing a full search to the agent and then filtering the objects as they are pipelined back to the server. Currently, this agent does not support processing filters directly. This option should always be FALSE.

J (Thread Priority Level (1-10))
   Sets the thread priority level for the agent.

3. Change the value and press Enter. The Advanced Settings menu reappears and displays your new settings.

Viewing Statistics

The following procedure describes how to view the request statistics for the Tivoli Access Manager Agent.

1. Type H (Statistics) at the main menu prompt. The activity history for the agent is displayed.

TAM4Agent 4.5.0 Agent Request Statistics
--------------------------------------------------------------------
Date       Add     Mod     Del     Ssp     Res     Rec
-----------------------------------------------------------------
11/15/02   000001  000000  000000  000000  000000  000001
-----------------------------------------------------------------
X. Done

2. Type X to return to the Main Configuration Menu.
Accessing Help and Additional Options

The following describes how to access the agentcfg help menu and use the help arguments.

1. Return to the Tivoli Access Manager Agent bin directory by completing one of the following:
   - Type X from the Main Configuration menu prompt.
   - Complete procedures 1 and 2 of Accessing the Agent Configuration Tool Main Menu on page 13.
2. Type agentcfg -help at the prompt to view the help menu. The following list of possible commands appears:

   -version              ; Show version
   -hostname <value>     ; Target nodename to connect to (Default:Local host IP address)
   -findall              ; Find all agents on target node
   -list                 ; List available agents on target node
   -agent <value>        ; Name of agent
   -tail                 ; Display agent's activity log
   -schema               ; Display agent's attribute schema
   -portnumber <value>   ; Specified agent's TCP/IP port number
   -netsearch <value>    ; Lookup agents hosted on specified subnet
   -confidencetest       ; Confidence test
   -setup                ; Confidence test setup
   -help                 ; Display this help screen

The following table describes the purpose of the provided arguments.

Table 7. Command argument purposes

-version
   Use this argument to display the agentcfg version.

-hostname <value>
   Use the -hostname argument with any of the following commands to specify a different host:
   - -findall
   - -list
   - -tail
   - -agent
   Enter a hostname or IP address as the value.

-findall
   Use this argument to search and display all possible port addresses for all agents. Must be used with the -list argument. Add the -hostname argument to search a remote host.

-list
   Use this argument to search and display agents found at default ports. By default, the argument searches the local host of the Tivoli Access Manager Agent. Use the -hostname argument to search a different host.

-agent <value>
   Use this argument to specify the agent that you want to configure. Enter an agent name as the value. Use this argument with the -hostname argument to modify the configuration settings from a remote host. You can also use this argument with the -tail argument.

-tail
   Use this argument with the -agent argument to display an agent's activity log. Add the -hostname argument to display the log file for an agent on a different host.

-schema
   Use this argument with the -agent argument to display an agent's attribute schema.

-portnumber <value>
   Use this argument with the -agent argument to specify an agent's TCP/IP port number.

-netsearch <value>
   Use this argument to look up the agents hosted on the subnet that you specify as the value.

-confidencetest
   Use this argument to run a test that sends add, modify, search and delete requests to the agent. This allows you to verify the agent's connection to the managed resource without the Tivoli Identity Manager Server.

-setup
   Use this argument to configure the confidence test.

-help
   Display the help menu for agentcfg.

3. Type agentcfg and one or more of the supported arguments at the prompt. Every invocation of the agent configuration tool starts with agentcfg followed by its arguments.

Table 8. Arguments

Argument syntax: -argument
   For example, type
      agentcfg -list
   This example lists all agents on the local host IP address. The number in parentheses is the agent's TCP/IP port that agentcfg connects to; the default is 44970.
      Agent(s) installed on node 127.0.0.1
      -----------------------
      TAM4Agent (44970)

Argument syntax: -argument <value>
   For example, type
      agentcfg -agent TAM4Agent
   This example displays the main menu of the agentcfg tool, which is used to view or modify the Tivoli Access Manager Agent parameters.

Argument syntax: -argument -argument <value>
   For example, type
      agentcfg -list -hostname 192.9.200.7
   This example lists agents on a host whose IP address is 192.9.200.7. Again, the number in parentheses is the agent's port; the default is 44970.
      Agent(s) installed on node 192.9.200.7
      ------------------
      TAM4Agent (44970)

Argument syntax: -argument <value> -argument <value>
   For example, type
      agentcfg -agent TAM4Agent -hostname 192.9.200.7
   This example displays the main menu of the agentcfg tool for a host whose IP address is 192.9.200.7. Use the menu options to view or modify the Tivoli Access Manager Agent parameters.
Chapter 5. Certificate Installation

This chapter describes how to use the provided certificate management tool (CertTool) to install and configure digital certificates for a Tivoli Identity Manager Agent. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is used for secure communication between the Tivoli Identity Manager Server and an Agent. For a production environment, you must obtain and use a signed production certificate from a well-known Certificate Authority, or from your own Certificate Authority, to ensure secure communications. The agent does not come prepackaged with a certificate.

This chapter provides information for managing digital certificates on the Tivoli Identity Manager Agent only. Please refer to the Managing Digital Certificates chapter in the IBM Tivoli Identity Manager System Configuration Guide for information about configuring the Tivoli Identity Manager Server for SSL.

Note: If you install, modify, or delete a certificate, you must stop and restart the agent before the changes will take effect.

Overview of SSL and Digital Certificates

A Tivoli Identity Manager deployment must consider the security of communication between all configured components. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is used for secure communication in a Tivoli Identity Manager deployment. SSL provides secure connections by allowing two applications connecting over a network connection to authenticate each other's identity. Additionally, SSL provides encryption of the data exchanged between the applications. Authentication allows one application (in one-way SSL, the one that is presented with a certificate) to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.
Features of SSL include the following concepts:
- SSL provides a mechanism for one application to authenticate itself to another application.
- One-way SSL allows one application to be certain of the identity of the other application.
- The application that assumes the server role possesses and uses a server-side certificate to prove its identity to the client application.
- The application that is presented with a certificate must have in its possession the root certificate (or certificate chain) of the Certificate Authority (CA) that signed the certificate being presented. The root CA certificate, or chain, validates the certificate being presented.
- In client connections, the client browser alerts the user when presented with a certificate that is not issued by a recognized Certificate Authority.

Note: Although the agent supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.
Basic Configuration for Server-to-Agent SSL

The following information pertains to a Tivoli Identity Manager deployment on either the WebSphere or the WebLogic application server. In this scenario, the Tivoli Identity Manager Server initiates communication with the agent (server-to-agent) to complete a transaction originating from the browser.

Deployment summary:
- The Tivoli Identity Manager Server and the agent use one-way authentication over SSL.
- RSA SSL-C or Open SSL is used.
The Tivoli Identity Manager Agent must have a valid signed certificate; the Tivoli Identity Manager Server must have the corresponding CA certificate.

Note: In the diagram below, ITIM Server refers to the IBM Tivoli Identity Manager Server.

Figure 2. Configuration for Server-to-Agent SSL: the ITIM Server, running in the ITIM Application Server (WebSphere or WebLogic), holds CA Cert A and opens a one-way SSL connection to the Agent, which holds Cert A and manages the Resource.

Clustered Tivoli Identity Manager Configuration

In a clustered configuration, the Tivoli Identity Manager System uses one Web Server to manage and load balance multiple Tivoli Identity Manager Servers. Each Tivoli Identity Manager Server must have a valid CA certificate. All agents must have associated CA and signed certificates.

Accessing the Certificate Configuration Tool Main Menu

The following procedure describes how to access the main menu of the CertTool utility for Tivoli Access Manager Agent certificate parameters.

1. Select Programs from the Start menu, select Accessories, and then select Command Prompt. The Microsoft Windows DOS Command Prompt window appears.
2. Change to the agent's bin directory.
If the Tivoli Access Manager Agent directory is in the default location, type cd \Tivoli\Agents\TAM4Agent\bin.
3. Type CertTool -agent TAM4Agent at the prompt. The Main Configuration menu appears:

   Main menu - Configuring agent: TAM4Agent
   ------------------------------
   A. Generate private key and certificate request
   B. Install certificate from file
   C. Install certificate and key from PKCS12 file
   D. View current installed certificate
   E. List CA certificates
   F. Install a CA certificate
   G. Delete a CA certificate
   H. List registered certificates
   I. Register certificate
   J. Unregister a certificate
   X. Quit
   Choice:

Obtaining and installing a signed certificate: The first set of options allows you to generate a Certificate Signing Request (CSR) and install the returned signed certificate for the agent itself. The options are:
A  Generate a Certificate Signing Request (CSR) that is sent to the Certificate Authority (CA), and the associated private key.
B  Install a certificate from a file. This file must be the signed certificate returned by the CA in response to the CSR generated by option A.
C  Install a certificate from a PKCS12 format file that includes both the public certificate and a private key. If options A and B are not used to obtain a certificate, the certificate used must be in PKCS12 format.
D  View all certificates installed on the system.
Additional configuration for two-way SSL: The remaining options only apply if client validation (two-way authentication) is required and enabled.
Note: Although the agent supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.
The second set of options allows installing root CA certificates. The CA certificates are used by the Tivoli Identity Manager Agent to validate the certificates presented by the Tivoli Identity Manager Servers.
E  Show the installed CA certificates. The agent only communicates with Tivoli Identity Manager Servers whose certificates are validated by one of the installed CA certificates.
F  Install a new CA certificate so that certificates issued by this CA can be validated. The CA certificate file can be an X.509 certificate in either binary (DER) or PEM encoding.
Chapter 5. Certificate Installation 31
G  Remove one of the installed CA certificates.
Registering a signed certificate for two-way SSL: The remaining options only apply if client validation (two-way authentication) is required and enabled.
Note: Although the agent supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.
The third set of options allows the agent to register the Tivoli Identity Manager Server's signed certificate. The Tivoli Identity Manager Server's signed certificate is then validated by the agent when two-way SSL communication is established. Registration is an allow-list that is checked in addition to CA validation: if the Tivoli Identity Manager Server's signed certificate is validated by one of the agent's CA certificates but is not registered with the agent, the agent refuses to communicate with that Tivoli Identity Manager Server.
H  List all registered certificates that will be accepted for communications.
I  Register a new certificate. The certificate to be registered must be in Base64-encoded X.509 (PEM) format.
J  Unregister (remove) a certificate from the registered list.
Type X to quit CertTool.
This chapter includes a section for each of the following main functions:
• For option A, see Generating a Private Key and Certificate Request.
• For option B, see Installing the Certificate from a File on page 34.
• For option C, see Installing the Certificate and Key from a PKCS12 File on page 34.
• For option D, see Viewing Installed Certificates on page 34.
• For option E, see Viewing CA Certificates on page 34.
• For option F, see Installing a CA Certificate on page 35.
• For option G, see Deleting a CA Certificate on page 35.
• For option H, see Viewing Registered Certificates on page 35.
• For option I, see Registering a Certificate on page 35.
• For option J, see Unregistering a Certificate on page 36.

Generating a Private Key and Certificate Request
The following procedure describes how to generate the agent's private key and a certificate request for it.
1. Type A (Generate private key and certificate request) at the main menu prompt. The following prompt appears:
   Enter values for certificate request (press enter to skip value)
   -------------------------------------------------------------------------
2. Type your organization name and press Enter.
   Organization:
3. Type the desired organizational unit and press Enter.
   Organizational Unit:
4. Type the name of the agent you are requesting a certificate for and press Enter.
   Agent Name:
5. Type the contact email address and press Enter.
   Email:
6. Type the country in which the agent resides and press Enter.
   Country:
7. Type the state in which the agent resides (if the agent is located in the United States) and press Enter.
   State:
   Note: Some certificate authorities do not accept two letter abbreviations for states.
8. Type the name of the city in which the agent resides and press Enter.
   Locality:
9. Type Y to accept the values displayed or type N to re-enter the values and press Enter.
   Accept these values (y/n)?
   The key pair and certificate request are generated once the values are accepted.
10. Type the name of the file to store the PEM certificate request and press Enter.
   Enter name of file to store PEM cert request (Enter to cancel):
11. Press Enter. The main menu reappears. You must now request a certificate from a trusted certificate authority by submitting the request file to it. The private key stays on the agent; only the request file is sent to the CA.

Example of Certificate Request Script
The following is an example of a certificate request:
   Enter values for certificate request (press enter to skip value)
   -----------------------------------------------------------------
   Organization: ibm
   Organizational Unit: engineering
   Agent Name: ntagent
   Email: admin@ibm.com
   Country: US
   State: California
   Locality: Irvine
   Accept these values (y/n)? y
   Generating key pair and certificate request...
   Enter name of file to store PEM cert request (Enter to cancel) : request.pem
   Certificate request written to request.pem.
   Press Enter to continue.
Example of request.pem File
   -----BEGIN CERTIFICATE REQUEST-----
   MIIB1jCCAT8CAQAwgZUxEjAQBgNVBAoTCWFjY2VzczM2MDEUMBIGA1UECxMLZW5n
   aw5lzxjpbmcxedaobgnvbamtb250ywdlbnqxjdaibgkqhkig9w0bcqewfw50ywdl
   bnraywnjzxnzmzywlmnvbtelmakga1uebhmcvvmxezarbgnvbagtcknhbglmb3ju
   awexdzanbgnvbactbklydmluztcbnzanbgkqhkig9w0baqefaaobjqawgykcgyea
   mr6acpnwf6hllc72bmukawaxcebtxcocnnth9uc8vumhpbimagjuc4s91hprilg7
   UtlbOfy6X3R3kbeR8apRR9uLYrPIvQ1b4NK0whsytij6syCySaFQIB6V7RPBatFr
   6XQ9hpsARdkGytZmGTgGTJ1hSS/jA6mbxpgmttz9HPECAwEAAaAAMA0GCSqGSIb3
   DQEBAgUAA4GBADxA1cDkvXhgZntHkwT9tCTqUNV9sim8N/U15HgMRh177jVaHJqb
   N1Er46vQSsOOOk4z2i/XwOmFkNNTXRVl9TLZZ/D+9mGZcDobcO+lbAKlePwyufxK
   Xqdpu3d433H7xfJJSNYLYBFkrQJesITqKft0Q45gIjywIrbctVUCepL2
   -----END CERTIFICATE REQUEST-----
Several lines of this sample lost their letter case in reproduction, so the block cannot be decoded as shown; it illustrates the layout of a PEM request only.
Installing the Certificate from a File
The following procedure describes how to install a certificate in the agent registry. This is the certificate you receive from your trusted certificate authority after submitting your certificate request.
Note: If you received the certificate as part of an e-mail message, copy the text of the certificate to a text file and copy the certificate file (the text file you just created) to the agent's bin directory.
1. Type B (Install certificate from file) at the main menu prompt. A prompt appears:
   Enter name of certificate file:
2. Type the name of the certificate file and press Enter. The certificate is installed in the agent registry and the main menu reappears.

Installing the Certificate and Key from a PKCS12 File
The following procedure describes how to install the certificate and the private key in the agent registry from a PKCS12 (.pfx) file. This format includes both the certificate and private key in a password protected file.
Note: Be sure to copy the certificate file to the agent's bin directory. For example, C:\Tivoli\Agents\<agentname>\bin
1. Type C (Install certificate and key from PKCS12 file) at the main menu prompt.
2. Type the name of the PKCS12 file that has the certificate and private key information and press Enter.
   Enter name of PKCS12 file:
   For example, DamlSrvr.pfx
3. Type the password to access the file and press Enter.
   Enter password:
The certificate and private key are installed in the agent registry. Because the .pfx file contains the agent's private key, remove it from the bin directory once the import has succeeded, or restrict access to it.

Viewing Installed Certificates
You can list all of the certificates installed on your system using option D (View current installed certificate). Type D at the main menu prompt. The installed certificates are listed and the main menu reappears. The following is an example of an installed certificate:
   The following certificate is currently installed.
   Subject: c=us,st=california,l=irvine,o=daml,cn=daml Server

Viewing CA Certificates
The following procedure describes how to list all CA certificates installed on the agent. Type E (List CA certificates) at the main menu prompt. The installed CA certificates are listed and the main menu reappears. The following is an example only.
   Subject: o=ibm,ou=samplecacert,cn=testca
   Valid To: Wed Jul 26 23:59:59 2006

Installing a CA Certificate
The following procedure describes how to install a CA certificate.
1. Type F (Install a CA certificate) at the main menu prompt. A prompt appears:
   Enter name of certificate file:
2. Type the name of the certificate file and press Enter. The certificate file is opened, its subject is displayed, and a prompt appears:
   e=admin@ibm.com,c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng
   Install the CA? (Y/N)
3. Check that the displayed subject is the CA you intend to trust, then type Y to install the certificate and press Enter. The CA certificate is installed in the CACerts.pem file.

Deleting a CA Certificate
The following procedure describes how to delete a CA certificate from the agent directories.
1. Type G (Delete a CA certificate) at the main menu prompt. A list of all CA certificates installed on the agent is displayed.
   0 - e=admin@ibm.com,c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng
   1 - e=support@ibm.com,c=us,st=california,l=irvine,o=ibm,ou=support,cn=support
   Enter number of CA certificate to remove:
2. Type the number of the CA certificate you want to remove and press Enter. The CA certificate is deleted from the CACerts.pem file and the main menu reappears.

Viewing Registered Certificates
The following procedure describes how to view a list of all registered certificates available to the agent. Only requests that present a registered certificate will be accepted by the agent when client validation is enabled. Type H (List registered certificates) at the main menu prompt. The registered certificates are displayed and the main menu reappears. The following is an example only.
   0 - e=admin@ibm.com,c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng
   1 - e=support@ibm.com,c=us,st=california,l=irvine,o=ibm,ou=support,cn=support

Registering a Certificate
The following procedure describes how to register a certificate for the agent.
1. Type I (Register certificate) at the main menu prompt. A prompt appears:
   Enter name of certificate file:
2. Type the name of the certificate file to be registered and press Enter. The subject of the certificate is displayed and a prompt appears:
   e=admin@ibm.com,c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng
   Register this CA? (Y/N)
3. Type Y to register the certificate and press Enter. The certificate is registered to the agent and the main menu reappears.

Unregistering a Certificate
The following procedure describes how to unregister a certificate for the agent.
1. Type J (Unregister a certificate) at the main menu prompt. The registered certificates are displayed. The following is an example only.
   0 - e=admin@ibm.com,c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng
   1 - e=support@ibm.com,c=us,st=california,l=irvine,o=ibm,ou=support,cn=support
2. Type the number of the certificate file to be unregistered and press Enter. The subject of the selected certificate is displayed.
3. Type Y to unregister the certificate and press Enter. The certificate is removed from the registered certificate list for the agent and the main menu reappears.
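As an added example (not from this guide and not CertTool's own code), the following POSIX shell script uses the OpenSSL command-line tool to reproduce the artifacts and checks behind the procedures in this chapter: the CSR with the same fields as the certificate request script, the CA-signed certificate that option B installs, the PKCS12 file that option C installs, chain validation against the installed CA certificates (options E to G), and the registered-certificate allow-list (options H to J). The test CA, the file names, the PKCS12 password and the DN values are assumptions constructed for the example; the agent's own certificate store is not used.

```shell
#!/bin/sh
# Added example, not part of the IBM guide or the agent: reproduces with the OpenSSL
# command-line tool what CertTool options A, B, C, F and I do, so each artifact can be
# inspected before it is loaded into the agent. The test CA, all file names and the
# DN values are constructed for this example; CertTool's own key store is not touched.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Option A: private key plus CSR carrying the fields CertTool prompts for
# (Organization, Organizational Unit, Agent Name -> CN, Email, Country, State, Locality).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=California/L=Irvine/O=ibm/OU=engineering/CN=ntagent/emailAddress=admin@ibm.com" \
        -keyout agent.key -out request.pem 2>/dev/null
}

# Check the request before sending it to the CA: the CN must be the agent name.
csr_subject() {
    openssl req -in request.pem -noout -subject
}

# A throwaway CA standing in for "your trusted certificate authority" (constructed).
make_test_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=ibm/OU=samplecacert/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# The CA signs the CSR. The output file is what option B installs "from file".
sign_csr() {
    openssl x509 -req -in request.pem -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 30 -sha256 -out "$2" 2>/dev/null
}

# Option C: certificate and key bundled in a password-protected PKCS12 (.pfx) file.
make_pkcs12() {
    openssl pkcs12 -export -in agent.crt -inkey agent.key -name ntagent \
        -passout pass:changeit -out agent.pfx
}

# Option F semantics: a peer is trusted only if its certificate chains to a CA in the
# installed store (the agent keeps this store in CACerts.pem). Exit status 0 = valid.
verify_against_ca_store() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Options H/I semantics: after chain validation the agent also requires the peer
# certificate to be registered. Here the registered list is a file of SHA-256
# fingerprints; a certificate that validates but is not listed is still rejected.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

is_registered() {
    grep -qxF "$(fingerprint "$1")" "$2"
}

accept_peer() {
    verify_against_ca_store "$1" "$2" && is_registered "$1" "$3"
}

# Walk the chapter in order: CSR, CA, signed cert, PKCS12, CA store, registration.
make_csr
make_test_ca testca
sign_csr testca agent.crt
make_pkcs12
cat testca.pem > CACerts.pem            # option F: install the CA certificate
fingerprint agent.crt > registered.txt  # option I: register the signed certificate
```

The last two lines stand in for CACerts.pem and the registered list, which CertTool manages itself. The point to take from accept_peer is the one the chapter makes: a server certificate that chains to an installed CA but is not registered is still refused, and a certificate from a CA that is not installed fails before registration is even consulted.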
Appendix A. Agent Variables
Variable Descriptions
The Tivoli Access Manager Agent consists of files and directories owned by the Tivoli Identity Manager account. The Tivoli Identity Manager-owned files establish communication with the Tivoli Identity Manager Server. The Tivoli Identity Manager Server communicates with the Tivoli Access Manager Agent using variables included in transmission packets sent over a network. The combination of variables included in the packets depends on the type of action the Tivoli Identity Manager Server requests from the Tivoli Access Manager Agent. The following table lists the variables used by the Tivoli Access Manager Agent, with a brief description and the data format associated with each variable.
Table 9. Variable descriptions
Variable | Directory Server Attribute | Description | Data Type
UserName | eruid | User login ID | String
dn | dn | The relative distinguished name of the container object in which to create the user account | Input field
cn | cn | Container object of the user's full name | Input field
sn | sn | User's last name | Input field
description | description | Description of the user account | Input field
erpassword | erpassword | Login ID password | Character string (password)
ertam4groupmember | ertam4groupmember | LDAP group membership; displays the names of groups | List box
ertam4passwordpolicy | ertam4passwordpolicy | A flag to indicate if the user's password policy is not enforced | Boolean check box
ertam4singlesign | ertam4singlesign | Single sign-on capability | Boolean check box
ertam4maxfailedlogon | ertam4maxfailedlogon | Maximum number of failed logons | Integer
ertam4expirepass | ertam4expirepass | A flag to indicate if the user password is expired | Boolean check box
GroupType | ertam4grouptype | Group type to which the member belongs | Character string
eraccountstatus | eraccountstatus | A flag to indicate if the account is or should be disabled. This can be Yes/No | Character string
USER | ertam4account | RDN attribute for eruid (user login ID) | String
GROUP | ertam4grouplist | RDN attribute for ertam4groupmember | List box

Variables by Tivoli Access Manager Agent Actions
The following lists are typical Tivoli Access Manager Agent actions by their functional transaction group. The lists include more information about required and optional variables sent to the Tivoli Access Manager Agent to complete that action.
System Login Add
A Login Add is a request to create a new user account in the domain with the specified attributes.
Table 10. Add function attributes
Required Variables: UserName, dn, cn, sn
Optional Variables: All other supported attributes.
System Login Change
Use the Change function to change one or more attributes for the specified users.
Table 11. Change function attributes
Required Variables: UserName
Optional Variables: All other supported attributes.
System Login Delete
The Delete function removes the specified user from the directory.
Table 12. Delete function
Required Variables: UserName
Optional Variables: None
System Login Suspend
Use the Suspend function to disable a user account. The user is neither removed nor are their attributes modified.
Table 13. Suspend function
Required Variables: UserName
Optional Variables: None
System Login Restore
Use the Restore function to re-activate a user account that was previously suspended. After restoring, the user can access the system with the same attributes as before the Suspend function was called.
Table 14. Restore function
Required Variables: UserName
Optional Variables: None
Reconciliation
The Reconciliation function synchronizes user account information between Tivoli Identity Manager and the agent. The following is the full set of access attributes returned by reconciliation. An asterisk (*) denotes attributes that are for informational purposes only.
Table 15. Reconciliation function
Attributes returned during reconciliation: UserName, dn, cn, sn, description, ertam4maxfailedlogon, ertam4passwordpolicy, ertam4expirepass, ertam4singlesign, ertam4groupmember
Appendix B. Additional Installation Options
This appendix describes installation options available when installing the agent. In addition to installation information, instructions are provided to uninstall the agent. Each step includes a short procedure that completes one aspect of the overall agent uninstall process. You must complete the steps in the order they are listed.
Installation Options
Several agent installation options are provided to account for disparate environments and preferences.
Batch File Option
The setupconsole.exe file is provided to allow you to install the agent using a batch file. The setupconsole.exe file is different from setup.exe in that setupconsole.exe waits for the Java process to complete and returns its exit code. This allows a batch file to branch based on the result of the setup.
Console Option
Use the following command to install the agent from a console or command line:
   <agent or profile install>.exe -is:javaconsole -console
This performs a console-based installation that does not require a GUI. This is useful on machines that are installed through a telnet session.
Setup Arguments
This section details arguments that can be used with the agent and agent profile installation executables. All of the arguments described here can be combined with the -is:javaconsole -console option to use a command line text interface instead of a GUI.
   <agent or profile install>.exe -options-record <filename>
This command records the options that were selected during the install into a file.
   <agent or profile install>.exe -options-template <filename>
This command creates a template file that has fields for all of the options that may be selected during installation. This file can then be edited to include the desired responses and played back with the option below.
   <agent or profile install>.exe -options-silent <filename>
This command plays back the previously recorded file during a silent installation, where installation is performed with no user interaction.
Agent Removal
This section describes the Tivoli Access Manager Agent uninstall procedures. Give users advance warning that the resource will be unavailable prior to removing the agent. If the server is taken offline, Tivoli Access Manager Agent requests that are not completed may not be recoverable when the server is back online.
Complete the following procedure to remove the Tivoli Access Manager Agent and directories.
1. Stop the Tivoli Access Manager Agent service.
2. Open Windows Explorer and execute uninstaller.exe. The Welcome dialog window appears.
3. Click Next. The Tivoli Access Manager Agent uninstallation summary dialog window appears.
4. Click Next. The Tivoli Access Manager Agent components are deleted.
5. Click Finish.
Note: Inspect the directory tree for Tivoli Access Manager Agent directories, subdirectories, and files to verify that the uninstall is complete. The Tivoli Access Manager Agent should no longer appear in the Services dialog window.
Appendix C. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106-0032, Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact: IBM Corporation 2ZA4/101 11400 Burnet Road Austin, TX 78758 U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: AIX, DB2, IBM, IBM logo, SecureWay, Tivoli, Tivoli logo, Universal Database, WebSphere. Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.
Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others.
Index
A
activity logging 22
administrator authority 3
agent
   as a service 6
   certificate installation 6
   configuration overview 6
   event notification configuration 7
   form configuration 7
   installation
      arguments 41
      batch file 41
      console 41
      overview 1
      uninstall 41
      wizard 4
   profile installation 6, 9
      purpose 9
      requirements 9
   removal 41
   variables
      by Tivoli Access Manager Agent action 38
      descriptions 37
agent configuration tool, see agentcfg
agentcfg
   arguments, use 26
   changing agent parameters
      accessing 13
      configuration key 21
      protocol settings 14
      registry settings 24
      request processing 25
   menus
      activity logging 22
      advanced settings 25
      event notification 17
      help 26
      Main Configuration 13
      Protocol Configuration 14
      registry 24
   viewing configuration settings 14
B
bold text vi
C
certificate
   CA
      available functions 31
      deleting 35
      installing 35
      viewing installed 34
   CertTool 29
   configuration settings, changing with CertTool 31
   example
      request script 33
      request.pem file 33
   install from file 34
      sample 34
   protocol configuration tool, see CertTool
   registered
      registering 35
      removing 36
      viewing 35
   request 32
   viewing installed 34
   viewing registered 35
CertTool
   CA certificate
      deleting 35
      installing 35
      viewing 34
   certificate
      install 34
      register 32
      request 32
      viewing installed 34
      viewing registered 35
   changing agent parameters
      accessing 30
      options 31
   install, certificate 34
   private key, generating 32
   registered certificate
      registering 35
      removing 36
      viewing 35
character sets, support 25
configuration key
   changing with agentcfg 21
   default value 13, 21
   purpose 13
configuration settings
   changing with agentcfg 13
   default value 14
   viewing with agentcfg 14
D
DAML protocol
   options 16
   properties, changing with agentcfg
      options 16
      password 16
      portnumber 16
      srv_nodename 16
      srv_password 17
      srv_portnumber 16
      srv_username 17
      username 16
      validate_client_ce 17
debug log
   default value 22
   enable/disable with agentcfg 22
   purpose 23
detail log
   default value 22
   enable/disable with agentcfg 22
   purpose 23
documents, accessing online vi
E
encrypted registry settings 24
encryption
   default value 16
   type 16
event notification
   cache size 18
   changing with agentcfg 17
   context
      baseline database 21
      deleting 19
      listing 19
      modifying 20
      search attributes 20
      target DN 21
   enable/disable 18
   reconciliation
      attributes 18
      context 19
      intervals 18
      modifying 19
      process priority 19
      starting manually 18
H
help menu for agentcfg
   accessing with -help command 26
   arguments
      -agent 27
      -confidencetest 27
      -findall 27
      -help 27
      -hostname 27
      -list 27
      -netsearch 27
      -portnumber 27
      -schema 27
      -setup 27
      -tail 27
      -version 27
I
information worksheet 3
installation, information worksheet 3
installation requirements
   administrator authority 3, 9
   network connectivity 3
   operating system 3
   server 3, 9
   server communication 3
   system 3
italic text vi
L
log
   directory, changing with agentcfg 22
   enable/disable, changing with agentcfg 22
   file name, changing with agentcfg 22, 23
   settings, changing with agentcfg
      base logging 23
      enable/disable 22
      enable/disable debug mode 23
      enable/disable detail mode 23
      log file directory 22
      log file name 23
      max file size 23
      max files 23
   settings, default values 22
   statistics 26
M
monospace text vii
N
network connectivity 3
non-encrypted registry settings 24
O
operating system requirements 3
P
password
   changing with agentcfg 16
   purpose 16
   set value in Agent Maintenance 16
portnumber
   changing with agentcfg 16
   purpose 16
   set value in Agent Maintenance 16
protocol
   adding with agentcfg 15
   configuring with agentcfg 15
   removing with agentcfg 15
publications, accessing online vi
R
reconciliation variables 39
registry settings
   encrypted 24
   non-encrypted 24
return type records TRUE/FALSE, default value 16
S
server requirements 3, 9
srv_nodename, changing with agentcfg 16
srv_password, changing with agentcfg 17
srv_portnumber, changing with agentcfg 16
srv_username, changing with agentcfg 17
system requirements 3
T
thread count settings
   changing with agentcfg 25
   default values 25
   maximum concurrent requests 25
   reconciliation requests 25
   system login add requests 25
   system login change requests 25
   system login delete requests 25
Tivoli Identity Manager, clustered configuration 30
U
username, changing with agentcfg 16
UTF8 support 25
V
validate_client_ce, changing with agentcfg 17
variables
   by Tivoli Access Manager Agent action
      add 38
      change 38
      delete 39
      reconciliation 39
      restore 39
      suspend 39
   descriptions 37
W
western European character set, support 25
Printed in U.S.A. SC32-1165-03